I am new to Spring Security. I am following this tutorial:

http://www.mkyong.com/spring-security/spring-security-form-login-example/

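When we request the welcome page everything works fine: it redirects to the login form and then, after the credentials are entered, shows the welcome page. The problem is that when I click logout it does log out, but the welcome page is still accessible: when I hit ...@localhost/SpringSecurity2/welcome, it does not ask for a login. I guess it has something to do with the session, but I don't get how to resolve this. I also used delete-cookies="JSESSIONID" but it does not work.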

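I just want that when the user logs out and hits the welcome URL again, he is directed to the login form rather than the welcome page, since it requires authentication. I need help soon. My security XML is as follows: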

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">

    <http auto-config="true">
        <intercept-url pattern="/welcome*" access="ROLE_USER" />
        <form-login login-page="/login" default-target-url="/welcome"
            authentication-failure-url="/loginfailed" />
        <logout 
        logout-success-url="/logout" />

    </http>

    <authentication-manager>
      <authentication-provider>
        <user-service>
            <user name="mkyong" password="123456" authorities="ROLE_USER" />
        </user-service>
      </authentication-provider>
    </authentication-manager>

</beans:beans>

1 Answer


The best way is to write a SessionFilter class that implements javax.servlet.Filter, as follows.

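package com.filter;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class SessionFilter implements Filter {
    @Override
    public void destroy() {
        // Nothing to clean up
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res,
            FilterChain chain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // getSession(false) returns null instead of creating a new session
        HttpSession session = request.getSession(false);
        if (null == session) {
            // No session: send the user to the login page and stop here
            response.sendRedirect("/login.html");
            return;
        }
        // Session exists: pass the request on, otherwise the response stays empty
        chain.doFilter(req, res);
    }

    @Override
    public void init(FilterConfig arg0) throws ServletException {
        // No initialization needed
    }
}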

And mention it in your web.xml file as shown below:

<filter>
    <filter-name>SessionFilter</filter-name>
    <filter-class>com.filter.SessionFilter</filter-class>
</filter>

And don't forget to invalidate your session in the logout controller using the following statement:

request.getSession().invalidate();

Hope this solves your problem.

answered 2013-09-05T08:34:30.510
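
An added example (not part of the answer above and not code from the tutorial): a variant of such a filter that tests for Spring Security's stored login rather than for the mere existence of a session, and marks protected pages as non-cacheable so the browser cannot redisplay a saved copy after logout. The class name `AuthenticatedPageFilter`, its package, and the assumption that it is mapped to the protected URLs only are hypothetical; `/login` is the login page from the question's configuration.

```java
package com.filter; // assumed package, same as the answer's filter

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter: map it to the protected URLs only (e.g. /welcome), never to /login.
public class AuthenticatedPageFilter implements Filter {

    // Session attribute under which Spring Security stores the SecurityContext
    // (HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY).
    private static final String CONTEXT_KEY = "SPRING_SECURITY_CONTEXT";

    @Override
    public void init(FilterConfig config) throws ServletException { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Stop the browser from replaying a cached copy of the page after logout.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);

        // A session can exist without a login (a JSP creates one by default),
        // so test for the stored security context, not just for the session.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(CONTEXT_KEY) != null;
        if (!loggedIn) {
            // Context-relative redirect to the login page from the question's config.
            response.sendRedirect(request.getContextPath() + "/login");
            return;
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() { }
}
```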